View Issue Details

IDProjectCategoryView StatusLast Update
0005974unrealircdpublic2021-09-21 17:17
Reporterarmyn Assigned To 
PrioritynormalSeverityminorReproducibilityalways
Status newResolutionopen 
Product Version5.2.1.1 
Summary0005974: Problem that I can not understand on the "security-groups"
DescriptionIn my configuration I have this:

===================
set {

    /* Protections anti-flood */
        anti-flood {
                /* These limits apply to all users,
                 * Only these 4 settings belong here (and only here):
                 */
                everyone {
                        connect-flood 15:20;
                        handshake-data-flood {
                                amount 4k;
                                ban-action zline;
                                ban-time 1m;
                        }
                        target-flood {
                                channel-privmsg 45:5;
                                channel-notice 15:5;
                                channel-tagmsg 15:5;
                                private-privmsg 30:5;
                                private-notice 25:5;
                                private-tagmsg 30:5;
                        }
                }

               /* These are the "known users" who (if you use default
                 * security group settings) are: registered users
                 * who are identified to services, OR have been connected
                 * to UnrealIRCd for longer than 2 hours.
                 */
                applet-identified {
                        nick-flood 3:60;
                        join-flood 7:60;
                        away-flood 20:60;
                        invite-flood 4:60;
                        knock-flood 4:120;
                        max-concurrent-conversations {
                                users 20;
                                new-user-every 1s;
                        }
                }

                /* Everyone who is not in the known-users group.
                 * These users have lower limits:
                 */
                applet-noidentified {
                        nick-flood 2:60;
                        join-flood 4:60;
                        away-flood 30:120;
                        invite-flood 2:60;
                        knock-flood 2:120;
                        max-concurrent-conversations {
                                users 20;
                                new-user-every 1s;
                        }
                }
                
                /* These are the "known users" who (if you use default
                 * security group settings) are: registered users
                 * who are identified to services, OR have been connected
                 * to UnrealIRCd for longer than 2 hours.
                 */
                known-users {
                        nick-flood 3:60;
                        join-flood 7:60;
                        away-flood 20:60;
                        invite-flood 4:60;
                        knock-flood 4:120;
                        max-concurrent-conversations {
                                users 20;
                                new-user-every 1s;
                        }
                }

                /* Everyone who is not in the known-users group.
                 * These users have lower limits:
                 */
                unknown-users {
                        nick-flood 2:60;
                        join-flood 4:60;
                        away-flood 30:120;
                        invite-flood 2:60;
                        knock-flood 2:120;
                        max-concurrent-conversations {
                                users 20;
                                new-user-every 1s;
                        }
                }
                

        }

        
};




security-group users-1 {
        identified no;
        webirc yes;
        reputation-score 3;
}

security-group applet-identified {
        identified yes;
        webirc yes;
}

security-group applet-noidentified {
        identified no;
        webirc yes;
}

===================

Here is a client connecting:

[17:44:15] -irc.d.com- *** Client connecting: tixxx (o-dcs-fre63d1f0-1@galaxy-9xxxxxcloud-05aef5.xxx.com) [90.1xxxxx] [class: clients] [secure: TLSv1.2-ECDHE-RSA-AES256-GCM-SHA384] [account: tixxx] [reputation: 207] [security-groups: known-users,applet-noidentified,applet-identified,users-1,webirc-users,tls-and-known-users,tls-users]

You have to look instead here:
[security-groups: known-users,applet-noidentified,applet-identified,users-1,webirc-users,tls-and-known-users,tls-users]
It is not normal for "known-users" to show here, as normally it should be ignored just like applet-noidentified it shouldn't show either.

The exact configuration of the "tixxx" client is actually this:
- Connection by SASL (sasl identification)
- It is connected by WEBIRC
- Tixxx is successfully identified by SASL

It should display this:
[security-groups: applet-identified,users-1,webirc-users,tls-and-known-users,tls-users]
but it is not.

As a result, Tixxx is still considered a "known-users" and not like a "applet-identified"

Where could the problem come from?

Cdt
TagsNo tags attached.
3rd party modules

Activities

syzop

2021-09-19 18:39

administrator   ~0022119

Last edited: 2021-09-19 18:40

From https://www.unrealircd.org/docs/Security-group_block:
* identified: if set to yes, then if the user is identified to Services then it is considered a match.
* webirc: if set to yes, then if the user comes from a WEBIRC gateway then it is considered a match.
* tls: if set to yes, then if the user is using a SSL/TLS connection then it is considered a match.
* reputation-score: if set, then if the user has a reputation score of this value or higher, it is considered a match.
* include-mask: if a mask item matches, then the security group is considered a match. (UnrealIRCd 5.2.1 or later)
Any items set to no mean the check will be skipped. Any items set to yes that are true mean the security group matches the user (only 1 item that is set to yes needs to match).

So two important things:
* These are all "OR" matches, so any "yes" means it matched, and we stop looking at other options
* A "no" has no meaning. The only reason "no" exists is so you can override a "yes" from a default security group such as known-users.

armyn

2021-09-21 17:17

reporter   ~0022120

I replaced everything with:

set {

    /* Protections anti-flood */
        anti-flood {
                /* These limits apply to all users,
                 * Only these 4 settings belong here (and only here):
                 */
                everyone {
                        connect-flood 15:20;
                        handshake-data-flood {
                                amount 4k;
                                ban-action zline;
                                ban-time 1m;
                        }
                        target-flood {
                                channel-privmsg 45:5;
                                channel-notice 15:5;
                                channel-tagmsg 15:5;
                                private-privmsg 30:5;
                                private-notice 25:5;
                                private-tagmsg 30:5;
                        }
                }


                /* These are the "known users" who (if you use default
                 * security group settings) are: registered users
                 * who are identified to services, OR have been connected
                 * to UnrealIRCd for longer than 2 hours.
                 */
                known-users {
                        nick-flood 3:60;
                        join-flood 8:60;
                        away-flood 25:60;
                        invite-flood 4:60;
                        knock-flood 4:120;
                        max-concurrent-conversations {
                                users 20;
                                new-user-every 1s;
                        }
                }

                /* Everyone who is not in the known-users group.
                 * These users have lower limits:
                 */
                unknown-users {
                        nick-flood 2:60;
                        join-flood 4:60;
                        away-flood 30:120;
                        invite-flood 2:60;
                        knock-flood 2:120;
                        max-concurrent-conversations {
                                users 20;
                                new-user-every 1s;
                        }
                }
                

        }

        
};

it's much better,
I took out all the rest

Issue History

Date Modified Username Field Change
2021-09-19 18:03 armyn New Issue
2021-09-19 18:39 syzop Note Added: 0022119
2021-09-19 18:39 syzop Note Edited: 0022119
2021-09-19 18:40 syzop Note Edited: 0022119
2021-09-21 17:17 armyn Note Added: 0022120